topic Re: Show me all events where field value not present? in Splunk Search

Show me all events where field value not present?

yepyepyayyooo — Wed, 30 Sep 2020 03:27:09 GMT

Greetings good people,

i may be over thinking things or didn't get enough sleep. I need to return results where a field value is not present at all (0%) i.e. no event coverage for the given value. Not field but field value. For example.

Let's say we have a field called source_zone and possible values of INT, DMZ, or EXT.

I would like to see all events where there are 0 results for source_zone="EXT". This is not the same as source_zone!="EXT" because that is filtering out the results.

Kindly advise and thanks.

Re: Show me all events where field value not present?

richgalloway — Mon, 30 Dec 2019 14:45:51 GMT

Finding something that is not there can be challenging.

Perhaps https://www.duanewaddle.com/proving-a-negative/ will help.

There also NOT source_zone="EXT" which is not the same as source_zone!="EXT".

Re: Show me all events where field value not present?

oscar84x — Mon, 30 Dec 2019 14:47:42 GMT

Hi. You can try:

index=your_index sourcetype=your_sourcetype NOT source_zone=EXT

As per Splunk best practices, however, inclusion is better than exclusion. So if you have a small number of possible values it might be better to search for all the values you want rather than the one you don't.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Search/NOTexpressions

Re: Show me all events where field value not present?

mydog8it — Mon, 30 Dec 2019 14:58:04 GMT

The way I read your question, you want events that have no value in the source_zone field. If that's the case, try something like this:

your_search | where isnull(source_zone)

If you want to get all results that do not equal "EXT", try this:

your_index your_sourcetype source_zone!=EXT

Re: Show me all events where field value not present?

yepyepyayyooo — Mon, 30 Dec 2019 15:22:48 GMT

Doesn't this filter out results? I need to see if condition true show me everything else. I need something like

where source_zone value EXT is nonexistent, show me those results

Re: Show me all events where field value not present?

oscar84x — Mon, 30 Dec 2019 15:30:27 GMT

From the link I posted above: Searching with NOT - If you search with the NOT operator, every event is returned except the events that contain the value you specify. This includes events that do not have a value in the field.

So unlike !=, it will return events that don't have that value. Not just exclude the ones that have it.

Re: Show me all events where field value not present?

to4kawa — Tue, 31 Dec 2019 01:06:24 GMT

your_search
| eventstats count(eval(source_zone="EXT")) as check
| where check < 1

Hi, @yepyepyayyooo
how about this?